In remotely programmable devices, such as pacemakers, a controller or master device is used to send messages over a radiolink to an application program resident in the programmable device. In addition, the local receiver contains registers that control the radiolink or perhaps perform some type of calibration in the local slave device. These can be written to by sending messages over the radiolink. If an erroneous value is written into any of these registers, the radiolink may fail, or worse. It is therefore very important that any commands that are remotely sent to the receiver cannot harm any settings in the receiver.
The controller device might either directly write to a register in the slave device, or it might send a message to the slave device, which instructs the slave device to perform this action. The problem with the first solution is that it is not secure. A malevolent user (hacker) or an ignorant user might, for example, write to a register in a way that has the effect of causing the device to cease responding to commands over the radiolink, or worse. In the case of medical devices this could be critical because a broken link might result in the correct treatment being delayed, or worse.
The problem with the second solution, where the device itself performs the action, is that it prevents the controller from performing harmless functions directly, such as writing to the local registers in the transceiver.